The Hacker News — Cyber Security, Hacking, Technology News

A security researcher has discovered an interesting loophole in the Gmail Android app that lets anyone send an email that looks like it was sent by someone else, potentially opening doors for phishers.

This is something that we call E-mail Spoofing – the forgery of an e-mail header so that the email appears to have originated from someone other than the actual source.

Generally, to spoof email addresses, an attacker needs:

A working SMTP (Simple Mail Transfer Protocol) server to send email

A Mailing Software

However, an independent security researcher, Yan Zhu, discovered a bug in the official Gmail Android app that allowed her, simply by changing her display name in the account settings, to hide her real email address so that the receiver cannot tell who the actual sender is.

How to Send Spoofed Emails via Gmail Android App?

To demonstrate her finding, Zhu sent an email to someone after changing her display name to yan ""security@google.com" (note the additional quote). Zhu posted a screenshot of the result on her Twitter timeline.

"[This] extra quotes [in the display name] triggers a parsing bug in the Gmail app, which causes the real email to be invisible," Zhu told Motherboard.

Once received, the email could trick the recipient into believing that the mail came from a legitimate Google security team, which it did not.
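As an added defender-side illustration (not code from the article, Zhu, or Google): a check over a raw From: header that separates the display name from the real angle-bracket address, then flags unbalanced quotes and any embedded address whose domain differs from the real sender's. The header layout `Display Name <address>` is the RFC 5322 form; the sample headers are constructed.

```python
import re

# Real address is the last <...> token on the header line.
ANGLE_RE = re.compile(r'<\s*([^<>\s]+@[^<>\s]+)\s*>\s*$')
# Anything that looks like an email address inside the display name.
EMBEDDED_RE = re.compile(r'[\w.+-]+@[\w-]+(?:\.[\w-]+)+')


def analyze_from(header):
    """Split a From: header into display name and real address and flag
    display names that could confuse a naive renderer or a human reader."""
    header = header.strip()
    m = ANGLE_RE.search(header)
    if m:
        address = m.group(1).lower()
        display = header[:m.start()].strip()
    else:
        address = header.lower()  # bare address, no display name at all
        display = ''
    # Unescaped double quotes must pair up in a well-formed display name;
    # an odd count is the kind of input that tripped the app's parser.
    unescaped_quotes = re.findall(r'(?<!\\)"', display)
    unbalanced = len(unescaped_quotes) % 2 == 1
    embedded = [a.lower() for a in EMBEDDED_RE.findall(display)]
    real_domain = address.rsplit('@', 1)[-1]
    mismatched = [a for a in embedded if a.rsplit('@', 1)[-1] != real_domain]
    return {
        'address': address,
        'display': display,
        'unbalanced_quotes': unbalanced,
        'embedded_addresses': embedded,
        'suspicious': unbalanced or bool(mismatched),
    }


if __name__ == '__main__':
    # Constructed sample: the display name from the article, with a
    # placeholder real address standing in for the sender's own account.
    for h in ['yan ""security@google.com" <yan@example.com>',
              'Yan Zhu <yan@example.com>']:
        print(analyze_from(h))
```

A mail gateway or client that applies this check can render the real address prominently, or quarantine the message, whenever `suspicious` is set.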

Google – 'The Bug isn't a Security Vulnerability'

Zhu reported the loophole to Google's security team at the end of October, but the team dismissed her bug report, saying the bug is not a security vulnerability.

"Thanks for your note, we do not consider this [bug] to be a security vulnerability," a Google Security Team member told Zhu.

Learn to read email message headers and trace IP addresses – Tracking down the source of spam is a good practice. When you receive a suspicious email, open the header and check whether the IP address of the sender matches up with previous emails from the same person.

Never click on a suspicious link or download an unfamiliar attachment – Always pay attention to the emails you receive and avoid clicking links in email or downloading email attachments. Go to your bank's official website, or any other website, directly from the browser and log into your account to find what they want you to see.

Google is offering its users a completely new and better experience of its mailing service. And in an effort to do this, the company has launched a new email service, an alternative to Gmail, called "Inbox" on Wednesday that aims to make email more useful and preview next-generation capabilities.

Inbox will not replace Gmail, the company's popular 10-year-old email product; instead it will sit next to the Gmail service and help users better organize their emails, with live alerts for appointments, flight bookings and package deliveries presented in a more user-friendly way.

"Years in the making, Inbox is by the same people who brought you Gmail, but it's not Gmail: it's a completely different type of inbox, designed to focus on what really matters," wrote Sundar Pichai, Google’s senior vice president of Android, Chrome and apps, in a blog post.

According to the company, the Inbox service was designed to deal with the problem of getting too much email, in which the important and most urgent messages get lost amidst junk messages and endless threads.

Inbox solves this problem and displays only real-time updates to emails - for example, showing the delivery status of items bought online, showing reminders in a more accessible way that allows users to more easily keep track of their important chores and appointments.

"With this evolution comes new challenges: we get more email now than ever, important information is buried inside messages, and our most important tasks can slip through the cracks—especially when we’re working on our phones," the company noted. "For many of us, dealing with email has become a daily chore that distracts from what we really need to do—rather than helping us get those things done."

Find travel docs, photos and other critical information without opening the email.

Video demonstration: a video demonstration of Inbox is also available.

The tech giant has made the new Inbox app available on the Web as well as on Android smartphones and iPhones, but access is limited for now, as it is being distributed via Google's tried-and-true invite system.

The company sent out invitations to selected Gmail users to try out the new service, but users can also email the company at inbox@google.com to request an invitation. The Inbox app is available on the Google Play Store and also appears on the iOS App Store.

Google has failed to provide a very important security measure in its Gmail application for iOS, exposing millions of Apple device users to Man-in-the-Middle (MitM) attacks capable of monitoring encrypted email communications.

A researcher at mobile security firm Lacoon has discovered that Google's Gmail iOS application, running on Apple's mobile devices, does not perform what is known as "certificate pinning" when establishing a trusted connection between the mobile application and its back-end web services, which means an attacker can view plaintext emails and steal credentials in a MitM attack.

WHAT IS CERTIFICATE PINNING

Certificate pinning is a technique designed to prevent the application's users from falling victim to an attack that spoofs the SSL certificate. A pinning app rejects the whole connection to any host that presents a bogus SSL certificate and allows SSL connections only to hosts whose certificates match those stored inside the application, which protects you against fraudulently issued certificates.

For example, if you access Google.com from your browser, it will trust the certificate if it is signed by Verisign, Digicert or any other trusted Certificate Authority, but if you connect to a Google server via a mobile app that pins, it will trust only the certificates issued by Google itself.
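As an added illustration of the trust decision described above (not code from the article, Lacoon, or Google's apps): a client that first lets the platform validate the chain and then enforces its own pin on the leaf certificate's SHA-256 fingerprint, so a chain signed by an extra root that the OS happens to trust is still refused. The certificate bytes in the demo are constructed stand-ins, not real DER.

```python
import hashlib
import socket
import ssl


class PinMismatch(Exception):
    """Raised when the server's leaf certificate is not one the app pinned."""


def cert_fingerprint(der_bytes):
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der_bytes).hexdigest()


def pin_ok(der_bytes, pinned_fingerprints):
    """True only if the presented leaf matches a pin. A chain the OS trusts
    (for example via a root installed from a profile) is not sufficient."""
    return cert_fingerprint(der_bytes) in {p.lower() for p in pinned_fingerprints}


def connect_pinned(host, port, pinned_fingerprints, timeout=10):
    """Open a TLS connection, then enforce the pin on top of normal CA checks.
    Returns the connected socket; on a mismatch closes it and raises."""
    ctx = ssl.create_default_context()  # standard CA validation still applies
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    try:
        leaf_der = tls.getpeercert(binary_form=True)
        if not pin_ok(leaf_der, pinned_fingerprints):
            raise PinMismatch(
                f"{host}: leaf {cert_fingerprint(leaf_der)} is not pinned")
    except Exception:
        tls.close()
        raise
    return tls


# Constructed demo values: stand-ins for the legitimate leaf the app ships
# with and for a leaf minted under an attacker-installed profile root.
PINNED_LEAF = b"constructed-der-of-legitimate-leaf"
ROGUE_LEAF = b"constructed-der-signed-by-profile-root"
APP_PINS = {cert_fingerprint(PINNED_LEAF)}

if __name__ == "__main__":
    print("pinned leaf accepted:", pin_ok(PINNED_LEAF, APP_PINS))  # True
    print("rogue leaf accepted:", pin_ok(ROGUE_LEAF, APP_PINS))    # False
```

Pinning the leaf means the pin set must be updated whenever the server certificate rotates; many apps instead pin the SubjectPublicKeyInfo hash or an intermediate for that reason.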

NO RESPONSE FROM GOOGLE

The company said it reported the vulnerability to Google at the end of February. Google validated the problem and told the company it was fixed, but the vulnerability remained exploitable in Gmail's iOS app at the time of writing, according to the blog post published Thursday. Google has not yet responded to the issue.

“Several months after providing responsible disclosure, Google has not provided information regarding resolution and it still remains an open vulnerability,” said Michael Shaulov, CEO and co-founder of Lacoon Mobile Security. “This vulnerability leaves iPhone and iPad users at risk of a threat actor being able to view and modify encrypted communications through a Man-in-the-Middle attack.”

SEVERITY OF THE FLAW

The vulnerability allows the attackers to generate bogus certificates from configuration profiles, according to the researcher Avi Bashan of Lacoon Mobile Security, the firm that found the vulnerability.

For a successful MitM attack, the attacker must first get a configuration profile installed on the iOS device, which could be done by tricking users into downloading the profile via mass phishing emails containing a link.

"The configuration profile is an extremely sensitive iOS file which allows [them] to re-define system functionality parameters such as device, mobile carrier and network settings. The root CA [certificate authority] is what enables the threat actor to create spoofed certificates of legitimate services," said Avi Bashan. "It is important to note that the configuration profile is very simple to install. More so, many legitimate enterprise policies demand its installation."

ATTACK VECTORS

Bashan explained the four simple steps required to perform a MitM attack by exploiting the vulnerability. These are as follows:

Hacker tricks victim into installing a configuration profile containing the root certificate and the details of the server to reroute the traffic to. (Note: to do this, a threat actor can use a variety of social engineering methods such as sending an email, purportedly from the IT department, requesting to install the configuration profile.)

Reroutes victim’s traffic through the server under the threat actor’s control, defined by the malicious configuration profile.

Creates spoofed certificates which are identified as valid by the victim’s device.

Intercepts all traffic between the attacked device and intended server.

USERS OF ANDROID AND OTHER OS ARE ON THE SAFER SIDE

The certificate pinning flaw does not affect the Gmail applications running on Google’s Android or any other operating system. The vulnerability also does not affect those Gmail users who access their email on iOS through Apple’s Mail application.

Until the flaw is addressed, iOS users are advised to take precautions.